AuditXYZ

Compliance Framework

Colorado Privacy Act

The Colorado Privacy Act grants residents rights over personal data and requires businesses to honor universal opt-out mechanisms, conduct data protection assessments, and obtain consent for sensitive data processing.

$5,000–$75,0002–6 months2021 (enforced July 1, 2023)
Request a ConsultationSee process
Issuing BodyColorado General Assembly
First Published2021-07-07
Latest Version2021 (enforced July 1, 2023)
Typical Cost$5,000–$75,000
Typical Timeline2–6 months
Audit RequiredNo
Audit FrequencyNo mandatory external audit. Data protection assessments required for high-risk processing activities.
Geographyus-colorado

CPA: The Complete Guide

The Colorado Privacy Act, signed into law in July 2021 and effective July 1, 2023, is one of the most consumer-friendly state privacy laws in the United States. It stands out for its requirement that businesses recognize universal opt-out mechanisms, making it easier for consumers to exercise their privacy preferences across multiple organizations simultaneously.

What the CPA Covers

The CPA grants Colorado consumers rights to access, correct, delete, and obtain a portable copy of their personal data. Consumers may also opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

A distinguishing feature of the CPA is its universal opt-out mechanism requirement. Controllers must recognize technology-enabled signals such as the Global Privacy Control (GPC) that communicate a consumer's opt-out preferences automatically.

The law requires purpose limitation and data minimization, restricting collection to what is reasonably necessary for specified purposes. Sensitive data — including racial or ethnic origin, health data, biometric identifiers, and precise geolocation — requires affirmative opt-in consent before processing.

Who Needs to Comply

The CPA applies to entities that conduct business in Colorado or intentionally target Colorado residents and either control or process the personal data of 100,000 or more Colorado consumers annually, or control or process the data of 25,000 or more consumers while deriving revenue or receiving a discount on goods or services from the sale of personal data.

The law exempts entities and data covered by HIPAA, GLBA, FERPA, and other federal frameworks. Nonprofits and higher education institutions are also excluded.

Enforcement

The Colorado Attorney General and district attorneys have exclusive enforcement authority. The initial 60-day cure period expired on January 1, 2025, after which regulators may pursue enforcement without offering a cure opportunity. Civil penalties are assessed under the Colorado Consumer Protection Act.

Practical Compliance Steps

  1. Universal opt-out — Implement recognition of GPC and other universal opt-out signals
  2. Consent management — Deploy opt-in mechanisms for sensitive data processing
  3. Consumer rights workflows — Build intake and fulfillment processes within 45-day deadlines
  4. Data protection assessments — Document assessments for targeted advertising, sale, profiling, and sensitive data processing
  5. Privacy notice updates — Disclose categories of data, purposes, rights, and opt-out methods

Get the CPA starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

ccpacpravcdpactdpagdpr

Get matched with a CPA auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

CCPA
Framework
The CCPA is California's landmark consumer privacy law granting residents the right to know, delete, and opt out of the sale of their personal information. This guide covers applicability thresholds, consumer rights, and practical compliance steps.
View
CPRA
Framework
The CPRA amends and expands the CCPA, introducing new consumer rights, the concept of sensitive personal information, the California Privacy Protection Agency, and mandatory cybersecurity audits for high-risk businesses.
View
CTDPA
Framework
The CTDPA is Connecticut's comprehensive data privacy law, closely modeled on the VCDPA and CPA, with additional provisions for universal opt-out mechanisms and loyalty program disclosures.
View
GDPR
Framework
The GDPR is the world's most influential data protection law, setting the standard for how organizations collect, process, and protect personal data of individuals in the EU and EEA. This guide covers lawful bases, data subject rights, breach notification, and practical compliance steps.
View
VCDPA
Framework
The VCDPA is Virginia's comprehensive consumer data protection law, granting residents rights over their personal data and imposing obligations on businesses regarding data processing, consent, and protection assessments.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View